1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
|
#
# This module decrypts and validates Yubikey static and dynamic
# OTP tokens.
#
yubikey {
#
# The length (number of ASCII bytes) of the Public-ID portion
# of the OTP string.
#
# Yubikey defaults to a 6 byte ID (2 * 6 = 12)
# id_length = 12
#
# If true, the authorize method of rlm_yubikey will attempt to split the
# value of User-Password, into the user's password, and the OTP token.
#
# If enabled and successful, the value of &request:User-Password will be
# truncated and &request:Yubikey-OTP will be added.
#
# split = yes
#
# Decrypt mode - Tokens will be decrypted and processed locally
#
# The module itself does not provide persistent storage as this
# would be duplicative of functionality already in the server.
#
# Yubikey authentication needs two attributes retrieved from
# persistent storage:
# * &control:Yubikey-Key - The AES key used to decrypt the OTP data.
# The Yubikey-Public-Id and/or User-Name
# attributes may be used to retrieve the key.
# * &control:Yubikey-Counter - This is compared with the counter in the OTP
# data and used to prevent replay attacks.
# This attribute will also be available in
# the request list after successful
# decryption.
#
# Yubikey-Counter isn't strictly required, but the server will
# generate warnings if it's not present when yubikey.authenticate
# is called.
#
# These attributes are available after authorization:
# * &request:Yubikey-Public-ID - The public portion of the OTP string.
# and additionally if 'split' is set:
# * &request:Yubikey-OTP - The OTP portion of User-Password.
#
# These attributes are available after authentication (if successful):
# * &request:Yubikey-Private-ID - The encrypted ID included in OTP data,
# must be verified if tokens share keys.
# * &request:Yubikey-Counter - The last counter value (should be recorded).
# * &request:Yubikey-Timestamp - Token's internal clock (mainly useful for
# debugging).
# * &request:Yubikey-Random - Randomly generated value from the token.
#
decrypt = no
#
# Validation mode - Tokens will be validated against a Yubicloud server
#
validate = no
#
# Settings for validation mode.
#
validation {
#
# URL of validation server, multiple URL config items may be used
# to list multiple servers.
#
# - %d is a placeholder for public ID of the token
# - %s is a placeholder for the token string itself
#
# If no URLs are listed, will default to the default URLs in the
# ykclient library, which point to the yubico validation servers.
servers {
# uri = 'https://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s'
# uri = 'https://api2.yubico.com/wsapi/2.0/verify?id=%d&otp=%s'
}
#
# API Client ID
#
# Must be set to your client id for the validation server.
#
# client_id = 00000
#
# API Secret key (Base64 encoded)
#
# Must be set to your API key for the validation server.
#
# api_key = '000000000000000000000000'
#
# Connection pool parameters
#
pool {
# Connections to create during module instantiation.
# If the server cannot create specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# yubikey server being available.
start = ${thread[pool].start_servers}
# Minimum number of connections to keep open
min = ${thread[pool].min_spare_servers}
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like 'No connections available and at max connection limit'
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
max = ${thread[pool].max_servers}
# Number of uses before the connection is closed
#
# NOTE: A setting of 0 means infinite (no limit).
uses = 0
# The number of seconds to wait after the server tries
# to open a connection, and fails. During this time,
# no new connections will be opened.
retry_delay = 30
# The lifetime (in seconds) of the connection
#
# NOTE: A setting of 0 means infinite (no limit).
lifetime = 0
# The idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
#
# NOTE: A setting of 0 means infinite (no timeout).
idle_timeout = 60
# Cycle over all connections in a pool instead of concentrating
# connection use on a few connections.
spread = yes
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
}
}
|
